IETF Logo Mail Archive

Re: [TLS] [Technical Errata Reported] RFC5288 (4694)

Atul Luykx <Atul.Luykx@esat.kuleuven.be> Mon, 16 May 2016 03:51 UTC

Return-Path: <atul.luykx@esat.kuleuven.be>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B8C2012D599 for <tls@ietfa.amsl.com>; Sun, 15 May 2016 20:51:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.626
X-Spam-Level:
X-Spam-Status: No, score=-5.626 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.426] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hBypuNclueYA for <tls@ietfa.amsl.com>; Sun, 15 May 2016 20:51:01 -0700 (PDT)
Received: from cavuit02.kulnet.kuleuven.be (rhcavuit02.kulnet.kuleuven.be [IPv6:2a02:2c40:0:c0::25:130]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 944A912D10E for <tls@ietf.org>; Sun, 15 May 2016 20:51:01 -0700 (PDT)
X-KULeuven-Envelope-From: atul.luykx@esat.kuleuven.be
X-KULeuven-Scanned: Found to be clean
X-KULeuven-ID: E5B6212802D.A3CCF
X-KULeuven-Information: Katholieke Universiteit Leuven
Received: from icts-p-smtps-1.cc.kuleuven.be (icts-p-smtps-1e.kulnet.kuleuven.be [134.58.240.33]) by cavuit02.kulnet.kuleuven.be (Postfix) with ESMTP id E5B6212802D; Mon, 16 May 2016 05:50:52 +0200 (CEST)
Received: from hydrogen.esat.kuleuven.be (hydrogen.esat.kuleuven.be [134.58.56.153]) by icts-p-smtps-1.cc.kuleuven.be (Postfix) with ESMTP id E1E4C403B; Mon, 16 May 2016 05:50:52 +0200 (CEST)
Received: from cobalt.esat.kuleuven.be (cobalt.esat.kuleuven.be [134.58.56.187]) by hydrogen.esat.kuleuven.be (Postfix) with ESMTP id DC37A60030; Mon, 16 May 2016 05:50:52 +0200 (CEST)
Received: from webmail.esat.kuleuven.be (localhost [127.0.0.1]) by cobalt.esat.kuleuven.be (Postfix) with ESMTP id D57C440; Mon, 16 May 2016 05:50:52 +0200 (CEST)
Received: from 94-224-67-16.access.telenet.be ([94.224.67.16]) by webmail.esat.kuleuven.be with HTTP (HTTP/1.1 POST); Mon, 16 May 2016 05:50:52 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Content-Transfer-Encoding: 7bit
Date: Mon, 16 May 2016 05:50:52 +0200
X-Kuleuven: This mail passed the K.U.Leuven mailcluster
From: Atul Luykx <Atul.Luykx@esat.kuleuven.be>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
In-Reply-To: <9A043F3CF02CD34C8E74AC1594475C73F4C817BE@uxcn10-5.UoA.auckland.ac.nz>
References: <20160514082717.7997D180004@rfc-editor.org> <9A043F3CF02CD34C8E74AC1594475C73F4C80CD0@uxcn10-5.UoA.auckland.ac.nz> <CAN8NK9EaDQ-Pugi2j=3KcXrn5G-8mcXVs4O2HGCkH7h7GSKbbA@mail.gmail.com> <9A043F3CF02CD34C8E74AC1594475C73F4C80F76@uxcn10-5.UoA.auckland.ac.nz>, <CAN8NK9Gn9iK72dBq3opQ2E_HEZyVB+ysCqo5JxMH8vHhy4gEEg@mail.gmail.com> <9A043F3CF02CD34C8E74AC1594475C73F4C817BE@uxcn10-5.UoA.auckland.ac.nz>
Message-ID: <a05f1e9d02a96721479a0de75e335cc4@esat.kuleuven.be>
X-Sender: aluykx@esat.kuleuven.be
User-Agent: ESAT webmail service, powered by Roundcube
X-Virus-Scanned: clamav-milter 0.99 at cobalt
X-Virus-Status: Clean
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/uhcag1kA6jhfSYVLvH1EeNjtWGQ>
Cc: mcgrew@cisco.com, tls@ietf.org, RFC Errata System <rfc-editor@rfc-editor.org>
Subject: Re: [TLS] [Technical Errata Reported] RFC5288 (4694)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 May 2016 03:51:03 -0000

Here's a possible re-write of the second paragraph:

Nonce re-use in AES-GCM results in failure of both confidentiality and 
authenticity. Not only will confidentiality be breached by leaking the 
XOR of any two packets processed under the same nonce, but TLS sessions 
can also be attacked through forgery by an adversary. For example, in 
the case of HTTPS sessions content injection, XSS, and other attack 
vectors are possible.


Original text:

Security of AES-GCM requires that the "nonce" (number used once) is
never reused. The IV construction in Section 3 does not prevent
implementers from reusing the nonce by mistake. It is paramount that
the implementer be aware of the security implications when a nonce
is re-used even once.

Nonce re-use in AES-GCM results in catastrophic failure of it's
authenticity. Hence, TLS sessions can be effectively attacked through
forgery by an adversary. In the case of e.g. HTTPS sessions content
injection is possible, XSS and other attack vectors.


On 2016-05-16 05:32, Peter Gutmann wrote:
> Aaron Zauner <azet@azet.org> writes:
> 
>> If so, could you suggest better wording for this specific paragraph?
> 
> I would just leave it as "nonce", with no attempt at a definition.  If 
> there
> are any cryptographers who don't know what a nonce is they can look it 
> up.  If
> they use an authoritative source they'll get the correct definition, 
> and if
> they use Wikipedia they'll get Wikipedia's definition.
> 
>> I wouldn't cite Wikipedia in an academic publication, but it's what 
>> pops up
>> first if someone looks for "nonce" via a Google search
> 
> That doesn't make it correct, it just makes it the most popular 
> misconception.
> For another crypto example, look up HDCP and Blom's Scheme on 
> Wikipedia, and
> see how much resemblance that bears to reality.
> 
>> This document is on TLS cipher-suites, not AES-GCM in general. This 
>> attack
>> isn't applicable here for various reasons. But I agree that the errata 
>> could
>> be clearer here. What'd be your suggestion as an addition or change? 
>> I'm sure
>> the relevant editors will be willing to amend/change my wording in 
>> this
>> errata.
> 
> Since the paper for the Black Hat talk hasn't been published, I don't 
> know
> what the actual problem is (and by extension what the various reasons 
> are),
> but if you reuse a nonce I can't see how it would affect auth but not
> confidentiality, since you'd be generating a repeated cipher stream.  
> If
> confidentiality isn't affected then there should probably be a note 
> explaining
> why, since my immediate reaction to a comment about nonce reuse would 
> be
> "complete failure of the entire mode".
> 
> Peter.
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email